Executive Summary

CVE-2026-31017 is a Server-Side Request Forgery (SSRF) vulnerability found in the Print Format PDF generation functionality of ERPNext v16.0.1 and the Frappe Framework v16.1.1.

The issue occurs because the application uses wkhtmltopdf, a tool that renders PDFs from user-supplied HTML content, and does not sufficiently sanitize this HTML before rendering.

Specifically, HTML elements like <iframe> and <img> that reference external resources are allowed, and wkhtmltopdf automatically fetches these resources on the server side.

An attacker can exploit this by injecting malicious URLs into these HTML tags, causing the server to make arbitrary HTTP requests to internal services, including sensitive cloud metadata endpoints.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to make the server perform arbitrary HTTP requests to internal services that are normally inaccessible from outside.

Such SSRF attacks can lead to sensitive information disclosure, including access to cloud metadata services like AWS or GCP metadata endpoints.

Attackers may use this to enumerate internal networks, gather confidential data, or potentially leverage this access for further attacks within the internal environment.

Useful 0 Not Useful 0

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for unusual server-side HTTP requests initiated during PDF generation from user-supplied HTML content, especially requests to internal or cloud metadata endpoints.

Since the vulnerability exploits the PDF rendering engine (wkhtmltopdf) fetching external resources like those in <iframe> or <img> tags, you can detect it by inspecting logs for unexpected outbound HTTP requests from the server.

• Check web server or application logs for HTTP requests to internal IP ranges or cloud metadata IPs (e.g., 169.254.169.254 for AWS).
• Use network monitoring tools (e.g., tcpdump or Wireshark) to capture outbound HTTP requests from the server during PDF generation.
• Example command to monitor outbound HTTP requests on port 80 or 443: sudo tcpdump -i eth0 'tcp dst port 80 or tcp dst port 443'
• Search application logs for suspicious user-supplied HTML containing <iframe> or <img> tags with external URLs.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to perform Server-Side Request Forgery (SSRF) attacks that can lead to the disclosure of sensitive information by forcing the server to access internal services, including cloud metadata endpoints.

Such unauthorized access and potential exposure of sensitive data could impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access or disclosure.

Therefore, exploitation of this vulnerability may result in violations of these regulations due to the risk of sensitive information leakage.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting the server's ability to make arbitrary outbound HTTP requests during PDF generation and sanitizing user-supplied HTML content.

• Apply input validation and sanitization to remove or restrict HTML elements like <iframe> and <img> that can reference external resources.
• Configure network-level controls such as firewall rules to block the server from accessing internal services and cloud metadata endpoints.
• If possible, update ERPNext and Frappe Framework to versions that address this vulnerability once patches are released.
• Consider disabling or restricting the use of wkhtmltopdf or the PDF generation feature for untrusted user input until a fix is applied.

Useful 0 Not Useful 0